'Log In', 'page callback' => 'ldap_sso_user_login_sso', 'access callback' => '_ldap_authentication_user_access', 'type' => MENU_NORMAL_ITEM, ); return $items; } /** * Implements hook_user_logout(). * * The user just logged out. * */ function ldap_sso_user_logout($account) { $auth_conf = ldap_authentication_get_valid_conf(); if ($auth_conf->seamlessLogin == 1) { $cookie_string = 'do not auto login'; setcookie("seamless_login", $cookie_string, time() + (int)$auth_conf->cookieExpire, base_path(), ""); $_SESSION['seamless_login'] = $cookie_string; } } /** * Implements hook_boot(). * Perform setup tasks. This entry point is used because hook_user_load no * longer runs on anonymous users, and hook_boot is guaranteed to run, * regardless of cache */ function ldap_sso_boot() { if (!drupal_is_cli() && $GLOBALS['user']->uid == 0) { if (!(isset($_COOKIE['seamless_login'])) || $_COOKIE['seamless_login'] == 'auto login') { if ((arg(0) == 'user' && !(is_numeric(arg(1)))) || arg(0) == 'logout' ) { return; } else { if (isset($_COOKIE['seamless_login_attempted'])) $login_attempted = $_COOKIE['seamless_login_attempted']; else { $login_attempted = FALSE; } require_once(DRUPAL_ROOT . '/includes/common.inc'); require_once(DRUPAL_ROOT . '/includes/path.inc'); $ldap_authentication_conf = variable_get('ldap_authentication_conf', array()); if (isset($ldap_authentication_conf['seamlessLogin']) && $ldap_authentication_conf['seamlessLogin'] == 1 && ($login_attempted != 'true')) { setcookie("seamless_login_attempted", 'true', time() + (int)$ldap_authentication_conf['cookieExpire'], base_path(), ""); $_SESSION['seamless_login_attempted'] = $login_attempted; // removed with http://drupal.org/node/1485118 patch //$ldap_sso_q = (!isset($_GET['q']) || $_GET['q'] == '') ? 'user' : $_GET['q']; //drupal_goto('user/login/sso', array('query' => array('destination' => rawurlencode($ldap_sso_q)))); drupal_bootstrap(DRUPAL_BOOTSTRAP_LANGUAGE); drupal_goto('user/login/sso', array('query' => drupal_get_destination())); } else { return; } } } } } /** * A proxy function for the actual authentication routine. This is in place * so various implementations of grabbing NTLM credentials can be used and * selected from an administration page. This is the real gatekeeper since * this assumes that any NTLM authentication from the underlying web server * is good enough, and only checks that there are values in place for the * user name, and anything else that is set for a particular implementation. In * the case that there is no credentials set by the underlying web server, the * user is redirected to the normal user login form. * * @return false */ function ldap_sso_user_login_sso() { $auth_conf = ldap_authentication_get_valid_conf(); $implementation = $auth_conf->ldapImplementation; $enabled = $auth_conf->ssoEnabled; if ($enabled == TRUE) { switch ($implementation) { case 'mod_auth_sspi' : $remote_user = FALSE; if (isset($_SERVER['REMOTE_USER'])) { $remote_user = $_SERVER['REMOTE_USER']; } elseif (isset($_SERVER['REDIRECT_REMOTE_USER'])) { $remote_user = $_SERVER['REDIRECT_REMOTE_USER']; } break; case 'mod_auth_kerb' : $remote_user = FALSE; if (isset($_SERVER['REMOTE_USER'])) { $remote_user = $_SERVER['REMOTE_USER']; } elseif (isset($_SERVER['REDIRECT_REMOTE_USER'])) { $remote_user = $_SERVER['REDIRECT_REMOTE_USER']; } if ($remote_user && preg_match('/^([A-Za-z0-9_\-\.]+)@([A-Za-z0-9_\-.]+)$/', $remote_user, $matches)) { $remote_user = $matches[1]; $realm = $matches[2]; // This can be used later if realms is ever supported properly } break; } if ($remote_user) { if ($auth_conf->ssoRemoteUserStripDomainName) { // might be in form @ or \ $domain = NULL; $exploded = preg_split('/[\@\\\\]/', $remote_user); if (count($exploded) == 2) { if (strpos($remote_user, '@') !== FALSE) { $remote_user = $exploded[0]; $domain = $exploded[1]; } else { $domain = $exploded[0]; $remote_user = $exploded[1]; } } } watchdog('ldap_authentication', '%username : $_SERVER[\'REMOTE_USER\'] found', array('%username' => $remote_user), WATCHDOG_DEBUG); $fake_form_state = array( 'values' => array( 'name' => check_plain($remote_user), 'pass' => user_password(20), ), 'sso_login' => TRUE, ); $user = ldap_authentication_user_login_authenticate_validate(array(), $fake_form_state); if ($user && $user->uid > 0) { if ($auth_conf->seamlessLogin == 1) { setcookie("seamless_login", 'auto login', time() + $auth_conf->cookieExpire, base_path(), ""); $_SESSION['seamless_login'] = 'auto login'; setcookie("seamless_login_attempted", ''); unset($_SESSION['seamless_login_attempted']); } drupal_set_message(theme('ldap_authentication_login_message', array('message' => t('You have been successfully authenticated')))); drupal_goto(''); } else { if ($auth_conf->seamlessLogin == 1) { setcookie("seamless_login", 'do not auto login', time() + $auth_conf->cookieExpire, base_path(), ""); $_SESSION['seamless_login'] = 'do not auto login'; } drupal_set_message(theme('ldap_authentication_message_not_found', array('message' => t('Sorry, your LDAP credentials were not found, ' . 'or the LDAP server is not available. You may log in ' . 'with other credentials on the !user_login_form.', array('!user_login_form' => l(t('user login form'), 'user/login')))) ), 'error'); drupal_goto('user/login'); } } else { watchdog('ldap_authentication', '$_SERVER[\'REMOTE_USER\'] not found', array(), WATCHDOG_DEBUG); if ($auth_conf->seamlessLogin == 1) { setcookie("seamless_login", 'do not auto login', time() + $auth_conf->cookieExpire, base_path(), ""); $_SESSION['seamless_login'] = 'do not auto login'; } drupal_set_message(theme('ldap_authentication_message_not_authenticated', array('message' => t('You were not authenticated by the server. You may log in with your credentials below.') ) ), 'error'); drupal_goto('user/login'); } } else drupal_goto('user/login'); }